An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot)

Jann Horn jannh at
Wed Apr 4 16:23:28 UTC 2018

+ast at

On Wed, Apr 4, 2018 at 6:17 PM, David Howells <dhowells at> wrote:
> Andy Lutomirski <luto at> wrote:
>> 3. All the bpf and tracing stuff, etc, gets changed so it only takes
> Uh, no.  bpf, for example, can be used to modify kernel memory.

I'm pretty sure bpf isn't supposed to be able to modify arbitrary
kernel memory. AFAIU if you can use BPF to write to arbitrary kernel
memory, that's a bug; with CAP_SYS_ADMIN, you can read from userspace,
write to userspace, and read from kernelspace, but you shouldn't be
able to write to kernelspace.